Contrary to popular belief, criminals — insiders or outsiders — are not the most common cause of major operational failures. Technology is the biggest culprit.
The rapid adoption of artificial intelligence (AI), blockchain, robotic process automation (RPA), cloud computing and other technologies continues to transform finance. It has created a mix of technological risks that frequently disrupt firms’ delivery of important financial services (e.g., retail and wholesale banking, payments, insurance, clearing and settlement).
In a survey of 296 firms conducted in 2017 and 2018, the United Kingdom’s Financial Conduct Authority (FCA) found that the top three root causes of operational incidents were hardware and software issues, poor change management and third-party failures. The FCA also noted that nearly half of firms do not upgrade or retire old IT systems on time.
These findings, highlighted in the table below, suggest that while many organizations have been focused on addressing their cyber issues, they do not give the same level of attention to enhancing basic IT controls, such as change and patch management.
The study also suggests that while companies and boards still aim to squeeze operational cost per transaction to increase margins, many have not successfully adjusted their risk profiles and strengthened their risk mitigation measures to truly understand and tackle the intricate web of technology risks. Also, frequent media coverage on significant technology and cyber outages, together with ineffective organizational responses, indicate that some firms have not fully considered and tested how they would react to these events.
No Shortage of Regulations
Global and regional regulators are releasing guidelines and regulations to improve resilience across the sector. The European Banking Authority’s revision of outsourcing guidelines, the Australian Prudential Regulation Authority’s consultation paper on managing information security risks, the Monetary Authority of Singapore’s expansion of outsourcing guidelines to include the cloud, and the FCA’s publication of a cyber resilience questionnaire are clear indications that regulators are continuing to pile on the pressure for the financial services sector to apply necessary safeguards to address their tech pain points and blind spots and to reduce the occurrence of operational outages due to tech failure.
Through our significant and ongoing work on operational resilience, Protiviti has developed a framework that identifies the following as the critical building blocks in achieving resilient business services:
- Business Resilience — sound business resumption and recovery plans
- Cyber Resilience — robust cyber posture
- Third-Party Resilience — strong collection of third parties
- Technology Resilience — solid coverage of technology and infrastructure dependencies
These are the primary areas of focus for key regulators, including the U.K. supervisory authorities, which are taking the lead in the regulatory push to formalize operational resilience rules.
What Organizations Can Do
A technology risk framework that consists of an integrated top-down and bottom-up risk assessment methodology is a useful accelerator in identifying the pain points and risk areas across the foundational elements that can bring down an organization’s critical processes, systems or their important business services.
As illustrated below, an integrated approach provides a comprehensive view of high-risk scenarios that could threaten the viability of an organization’s important business services and operations.
The top-down risk assessment, usually conducted through one-on-one interviews or workshops with the senior management team, along with a review of policies or procedures and risk documentation. This process will provide a good indication of the big-ticket risk items that can bring down or harm mission-critical services, processes, systems and data — the things that keep C-suite leaders up at night.
Once financial institutions identify serious risk items, threat causes and potential consequences, they can then begin to map the components (e.g., technology, infrastructure and vendors) integral to mission-critical services. Companies typically uncover single points of failure at this stage, such as the legacy system or database that has not been patched or upgraded in years or the small-time tech vendor that keeps implementing faulty changes.
Businesses should conduct these risk assessments periodically to ensure they factor organizational processes or technological changes into the risk profile of critical assets and components. Depending on the maturity of an organization’s risk practices, a data-driven risk quantification method, such as FAIR (Factor Analysis of Information Risk), may need to be adopted to quantify threat events faced by the organization.
The top-down risk assessment can then be augmented with a bottom-up assessment, where management actions and risk mitigation measures (e.g., internal controls) are factored in to determine whether the organization has adequately covered its tech blind spots. This is the right time to ask the following questions:
- Have we patched our mission-critical legacy systems at the right time and with the right level of testing?
- Have we granted the right user or users with the right level of access to the right systems?
This approach provides a common platform for risk and control owners to have a meaningful dialogue about the things that should worry them. It also aligns business risks to internal technology controls, usually as part of risk and control assessments (RCAs). A centralized risk and control repository, such as a governance, risk and compliance (GRC) platform, would further enable transparency and communication on important processes, risks, controls and regulations across the three lines of defense.
To move the conversation from the IT shop to the boardroom requires a more business-oriented approach. That means translating technology risks into language business leaders can digest (e.g., How much revenue would I lose if my trading platform goes down for three hours without any workarounds at a peak time of the day?).
Overall, an integrated technology risk methodology will provide the following benefits:
- A mechanism for understanding business services and underlying components (e.g., applications, infrastructure, data) that are most critical to the organization
- Real insights into the key threats and risks that impact the business
- Improved risk reporting to enhance dialogue and risk-based decision-making around technology risks
Consumers of financial services will ultimately be affected by how well organizations identify and respond to technology failures. It is vital that financial institutions, regardless of their size and complexity, remain diligent about their tech pain points and risk areas.
Implementing the necessary risk mitigation measures and being upfront with business leadership, particularly the board, about shortfalls or needed improvements are critical measures to avoid future surprises and resilience failures.